XSS injection in JobHistoryParser
---------------------------------
Key: MAPREDUCE-2252
URL: https://issues.apache.org/jira/browse/MAPREDUCE-2252
Project: Hadoop Map/Reduce
Issue Type: Bug
Components: jobtracker
Affects Versions: 0.22.0
Reporter: Todd Lipcon
Priority: Critical
Fix For: 0.22.0

A malicious user can copy a job history file to another location to which both
the user and the JT have access, and then modify the "taskid" field of a
"TaskStarted" event in the JSON to include a script tag. This will be printed
unescaped in the 500 error that is produced.
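
The class of bug reported above, shown as an added example that is not code from Hadoop or from the reporter: a parser echoes a malformed identifier in its exception message, and the error page prints that message with and without HTML escaping. The class name, the `parseTaskId` stand-in, its ID pattern, the page markup and the sample value are all assumptions made for illustration.

```java
public class ErrorPageEscaping {
    /** Hypothetical stand-in for a task-id parser that echoes bad input in its exception. */
    static void parseTaskId(String taskId) {
        if (!taskId.matches("task_\\d+_\\d+_[mr]_\\d+")) {
            throw new IllegalArgumentException("TaskId string : " + taskId + " is not properly formed");
        }
    }

    /** Minimal HTML escaping for text placed in element content or quoted attributes. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Unsafe: exception text derived from file contents goes into the page verbatim. */
    static String errorPageUnescaped(Throwable t) {
        return "<html><body><h2>HTTP ERROR 500</h2><pre>" + t.getMessage() + "</pre></body></html>";
    }

    /** Safe: the same page with the message escaped at the point of output. */
    static String errorPageEscaped(Throwable t) {
        return "<html><body><h2>HTTP ERROR 500</h2><pre>"
            + escapeHtml(String.valueOf(t.getMessage())) + "</pre></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample value for the "taskid" field of a tampered history file.
        String taskId = "task_201101_0001_m_000000<script>alert(1)</script>";
        try {
            parseTaskId(taskId);
        } catch (IllegalArgumentException e) {
            System.out.println("unescaped: " + errorPageUnescaped(e));
            System.out.println("escaped:   " + errorPageEscaped(e));
        }
    }
}
```

Escaping at the point where the error page is written covers every field that can reach an exception message, not only the one named in the report.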